Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Minimax Image Gen
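v1.1.0
Generates images using the Minimax Image API. Supports text-to-image, 13+ style presets, and cross-platform use. neuroXY's exclusive drawing skill! Use when: the user wants to generate images, do AI drawing, or create images. NOT for: video generation, animation production.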
by Neuroblue (@bluestar-34)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md, and the included script all align: the tool calls a Minimax image-generation API, accepts prompts/presets, and saves/previews images. Required binary (python3) and required env var (MINIMAX_API_KEY) match the stated purpose.
Instruction Scope
The SKILL.md and script instruct reading an API key from env or from ~/.openclaw/openclaw.json (documented in SKILL.md). That's reasonable, but the runtime code explicitly disables SSL certificate verification for both the API POST and image downloads (ssl.check_hostname=False; verify_mode=ssl.CERT_NONE). This weakens transport security and could expose the API key or image data to MitM attacks. The script also attempts to read OpenClaw config files in home and parent paths — this is described in SKILL.md but means the skill will try to access local config files that may contain other credentials.
Install Mechanism
No install spec (instruction-only skill) and included Python script; nothing is downloaded or executed from arbitrary URLs during install. Standard library modules are used. Low installation risk, but runtime network activity occurs (to api.minimaxi.com).
Credentials
The skill only requires MINIMAX_API_KEY (declared as primary credential), which is proportionate. However, the code will also attempt to extract an API key from ~/.openclaw/openclaw.json and a sibling path; if that file contains other provider credentials, the skill will read them while searching for a Minimax key. This behavior is documented but increases the risk surface compared with using only an explicit env var.
Persistence & Privilege
always is false and the skill does not request persistent elevated privileges or modify other skills. It does not self-enable or write system-wide config beyond creating output files in the specified output directory.
What to consider before installing
This skill appears to do what it claims (generate images via Minimax) and only requires MINIMAX_API_KEY, but there are two things to check before installing or running it:
1) SSL verification is disabled in the script when calling the API and downloading images (ssl.check_hostname=False; verify_mode=ssl.CERT_NONE). That means an attacker on your network could intercept requests and steal your API key or responses. If you plan to use this skill, either run it only on trusted networks or edit the script to remove the lines that disable certificate verification so TLS is enforced.
2) The script will try to read ~/.openclaw/openclaw.json (and a parent-path variant) to auto-load an API key. If that file contains other credentials, the script will open it while searching for a Minimax key. To minimize risk, prefer supplying MINIMAX_API_KEY via an explicit environment variable and inspect/remove any sensitive keys from the config file first.
Other suggestions: review the full script locally before running, confirm the base_url (https://api.minimaxi.com) matches the official endpoint you expect, and run in a contained environment if you are not comfortable modifying the code. If the SSL disabling is fixed and you supply the key via env only, the skill would be coherent and lower-risk.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🎨 Clawdis
Bins: python3
Env: MINIMAX_API_KEY
Primary env: MINIMAX_API_KEY
